Shared Queues

Amazon SQS includes methods to share your queues so others can use them, using permissions
set in an access control policy. A permission gives access to another user to use your queue in some particular way. A policy is the actual document that contains the permissions you've granted.

Amazon SQS offers two methods for setting a policy: a simple API and an advanced API.
In the simple API, Amazon SQS generates an access control policy for you. In the advanced
API, you create the access control policy.

Simple API for Shared Queues

With the simple API, Amazon SQS writes the policy in the required language for you based on
the information you include in the AddPermission operation. However, the policy that
Amazon SQS generates is limited in scope. You can grant permissions to principals, but you
can't specify restrictions.

Advanced API for Shared Queues

With the advanced API, you write the policy yourself directly in the IAM policy language
and upload the policy with the SetQueueAttributes operation. The advanced API allows you to
deny access or to apply finer access restrictions (for example, based on time or based on
IP address).

Understanding Resource-Level Permissions

A permission is the type of access you give to a principal (the user receiving the
permission). You give each permission a label that identifies that permission. If you want
to delete that permission in the future, you use that label to identify the permission. If
you want to see what permissions are on a queue, use the GetQueueAttributes operation.
Amazon SQS returns the entire policy (containing all the permissions). Amazon SQS supports
the permission types shown in the following table.

Note

To allow anonymous access, you must write your own policy.

Permission

Description

*

This permission type grants the following actions to a principal on a shared queue:
change a message's visibility, delete messages, get a queue's
attributes, get a queue's URL, receive messages, and send
messages.

ChangeMessageVisibility

This grants permission to extend or terminate the read lock timeout
of a specified message. ChangeMessageVisibilityBatch
inherits permissions associated with
ChangeMessageVisibility. For more information about
visibility timeout, see Visibility Timeout. For more information, see the
ChangeMessageVisibility operation.

DeleteMessage

This grants permission to delete messages from the queue.
DeleteMessageBatch inherits permissions associated with
DeleteMessage. For more information, see the
DeleteMessage operation.

GetQueueAttributes

This grants permission to get all of the queue attributes except the policy, which can only
be accessed by the queue's owner. For more information, see the GetQueueAttributes operation.

GetQueueUrl

This grants permission to get a queue's URL. For more information, see the GetQueueUrl operation.

ReceiveMessage

This grants permission to receive messages in the queue. For more information, see the
ReceiveMessage operation.

SendMessage

This grants permission to send messages to the queue. SendMessageBatch
inherits permissions associated with SendMessage. For more
information, see the SendMessage operation.

Note

Setting permissions for SendMessage, DeleteMessage, or
ChangeMessageVisibility also sets permissions for the corresponding
batch versions of those actions: SendMessageBatch,
DeleteMessageBatch, and ChangeMessageVisibilityBatch.
Setting permissions explicitly on SendMessageBatch,
DeleteMessageBatch, and ChangeMessageVisibilityBatch
isn't allowed.

Permissions for each of the different permission types are considered separate permissions
by Amazon SQS, even though * includes the access provided by the other permission types.
For example, it's possible to grant both * and SendMessage permissions to a user, even
though * includes the access provided by SendMessage.

This concept applies when you remove a permission. If a principal has only a * permission,
requesting to remove a SendMessage permission does not leave the principal with an
"everything but" permission. Instead, the request does nothing, because the principal did
not previously possess an explicit SendMessage permission.

If you want to remove * and leave the principal with just the
ReceiveMessage permission, first add the ReceiveMessage permission,
then remove the * permission.
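The following Python script is an added example, not code from the Amazon SQS documentation. It emulates, offline, the two policy paths described above (a statement of the kind the simple AddPermission API generates, and a hand-written statement with IP and time conditions that only the advanced SetQueueAttributes path allows), the label-based removal rule just described, and a reviewer's audit of the finished policy. The generated-policy layout (Sid as label, account root ARN principal, "SQS:" action prefix), the queue ARN and the account IDs are assumptions and constructed placeholders.

```python
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"  # constructed placeholder


def simple_statement(label, account_ids, actions):
    """Emulate the simple API (AddPermission): Allow only, principals only, no conditions."""
    return {"Sid": label, "Effect": "Allow",
            "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]},
            "Action": [f"SQS:{a}" for a in actions], "Resource": QUEUE_ARN}


def advanced_statement(label, principal, actions, source_cidr, not_after):
    """What only the advanced API (SetQueueAttributes) allows: IP and time conditions."""
    return {"Sid": label, "Effect": "Allow", "Principal": {"AWS": principal},
            "Action": [f"SQS:{a}" for a in actions], "Resource": QUEUE_ARN,
            "Condition": {"IpAddress": {"aws:SourceIp": source_cidr},
                          "DateLessThan": {"aws:CurrentTime": not_after}}}


def remove_permission(policy, label):
    """Emulate RemovePermission: drop the statement whose Sid is the label. A label that
    was never granted removes nothing, which is the page's '*' versus SendMessage rule."""
    return {"Version": policy["Version"],
            "Statement": [s for s in policy["Statement"] if s["Sid"] != label]}


def audit(policy):
    """Findings a reviewer should resolve before uploading the policy with SetQueueAttributes."""
    findings = []
    for s in policy["Statement"]:
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if s.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in s:
            findings.append(f"{s['Sid']}: anonymous access with no Condition")
        if s["Effect"] == "Allow" and any(a.endswith("*") for a in acts):
            findings.append(f"{s['Sid']}: wildcard action ('*' permission type)")
        if any(a.endswith("Batch") for a in acts):
            findings.append(f"{s['Sid']}: batch action named explicitly; grant the non-batch action")
    return findings


def policy_json(*statements):
    """Serialize as the Policy attribute value passed to SetQueueAttributes."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)}, indent=2)


if __name__ == "__main__":
    policy = {"Version": "2012-10-17", "Statement": [
        simple_statement("AllAccess", ["444455556666"], ["*"]),
        advanced_statement("SendFromOffice", "arn:aws:iam::444455556666:root",
                           ["SendMessage"], "203.0.113.0/24", "2030-01-01T00:00:00Z")]}
    print(policy_json(*policy["Statement"]))
    print(audit(policy), remove_permission(policy, "ReceiveOnly") == policy)
```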


Granting Anonymous Access to a Queue

You can allow shared queue access to anonymous users. Such access requires no signature
or Access Key ID.